ChoicePoint -- What We Learned from Our Screw-up

xpangler points out an article in Baseline magazine in which "ChoicePoint's lead privacy & compliance executives talks about the 'more than 30' new practices and procedures the company has put in place since it mistakenly sold private data on 163,000 people to Nigerian criminals last year."

Lesson 1

[OakDragon]

Never trust anyone who says things like "Greetings!" and "Honorable", and who CAPITALIZES in very ODD places.

Re:Lesson 1

[Rosco+P.+Coltrane]

Never trust anyone who says things like "Greetings!" and "Honorable", and who CAPITALIZES in very ODD places.

Okay, I certainly won't trust you anymore then...

Re:Lesson 1

[soren42]

Never trust anyone who says things like "Greetings!" and "Honorable", and who CAPITALIZES in very ODD places.

Wait, wait, wait - we're not supposed to trust Japanese-Americans?

Re:Lesson 1

[soren42]

I wasn't trolling - sorry - I should have been clear... I was aiming for sterotypically-incorrect in a samuri-movie fashion.

I don't bear any ill will to Japanese-Americans. I don't really believe that all Japanese-Americans say things like "Greetings!" and "Honorable", all while speaking in ODD CAPITAL LETTERs. It's only Hollywood that wants me to believe this. Well, that and some of my manga. I trust Hollywood much more, though. They speak truth in every scene of every work.

See, you can find out more about this novel concept here....

Re:Lesson 1

See, you can find out more about this novel concept here....

A wikipedophilia-link does not make your statement funny. We mod you "troll" because there is no "unfunny asshole"-option.

Re:Lesson 1

[soren42]

Well, there should be, damnnit. It's no wonder the majority of posts of Slashdot go unmoderated.

Re:Lesson 1

[pipingguy]

I have points now. How do you want me to mod?

Karma reduction in 5, 4, 3...

Re:Lesson 1

And you are modded funny because there is no "funny asshole" option.

Mental translation

[finkployd]

Perhaps I am too cynical, but when I see this:
Carol DiBattiste, ChoicePoint's chief credentialing, compliance and privacy officer, says the company has taken numerous steps in the past year to make sure such a breach never happens again.

I cannot help but think they actually mean:
Carol DiBattiste, ChoicePoint's chief credentialing, compliance and privacy officer, says the company has taken numerous steps in the past year to make sure such a breach is never made public again.

Really, the ONLY consequence a company like this suffers from a breach is negative publicity and maybe a token fine. Even bad publicity is not really a problem for them since the people they hurt have no say in whether or not to do business with them.

When that is the case, I'll bet it much easier to clamp down on leaks and not reveal breaches to the public/government than prevent them.

Finkployd

Re:Mental translation

[aztec+rain+god]

Isn't the real lesson from that whole debacle that Choicepoint has no business handling my personal information? It seems to me like if they really were to 'get it', they would find a different line of work to be in, and perhaps do some form of good for humanity. In my mind, the real transgression going on wasn't the 160,000- odd cases of Nigerians getting their hands on the personal data, its the unknown number of 'legitimate' transactions.

I think you've hit a good point, that people have no say as to what is done with their info. There really needs to be a mechanism, or a form or something where I can tell Choicepoint to delete any records having to do with me.

Re:Mental translation

[Red+Flayer]

As evidenced by (FTFA):

Another new measure: ChoicePoint this month created a security advisory committee comprised of DiBattiste, the company's CIO, head of internal audit, the chief business officer, chief marketing officer, chief administrative officer and general counsel. The group meets regularly "to ensure we're hitting every aspect of security and privacy," says DiBattiste.

Emphasis mine.

Maybe it's just me, but a roomful of CxOs, including the CMO (WTF? What's wrong with VP of Marketing?[1]), plus a lawyer can only equal one thing -- a PR push plus some moves to limit liability.

[1] Speaking of stupid CxO titles, what the hell is a "Chief Administrative Officer"? We call those "Office Managers" around here... or maybe even "Chief Operations Officer" if we're feeling perky. But who wants a title that screams "Long-tenure secretary"? Maybe it's just a problem with assigning titels to people who sit on the board of a company (e.g., are legal Officers) but fulfill more mundane roles in terms of operations.

Re:Mental translation

When that is the case, I'll bet it much easier to clamp down on leaks and not reveal breaches to the public/government than prevent them.

That thinking is totally backwards. They made a big mistake, the punishment was very minor. They make a mistake again and they then do something illegal and suppress the mistake and they get slammed? This is just like hit and run, if you run into someone, often if it's considered an "accident", you are fine, UNLESS, you run, then you're screwed. Better to take the bad pub up front and admit it than to try to keep it quiet and then end up going to jail. After all, if they do goof again, the reprecussions won't be nearly as bad if they showed that they took good faith efforts to avoid a problem (which to me is what the statement is truely about).

Re:Mental translation

[finkployd]

What repercussions? Did they lose business? Sure they got hit with a 10 million dollar fine but look at their financial statements, that is barely a drop in the bucket for them.

Honestly, companies are losing hundreds of thousands of records containing personal data every week, THERE ARE NO REPERCUSSIONS! They say oops, a couple of blogs report it, and life goes on for them. Sure some people get royally screwed but those people cannot trace it back to the company that had the breach. Heck, the government is losing data on its employees and military people, do you really think they are in any position to punish anyone for it? They don't even try anymore.

Finkployd

Re:Mental translation

THERE ARE NO REPERCUSSIONS! They say oops, a couple of blogs report it, and life goes on for them.

That was my point. If the worse thing that will happen is a small fine and a hand slap, why would they take the risk of actually doing something illegal and going to jail by actually trying to cover up the mistake?

Re:Mental translation

[Billosaur]

[1] Speaking of stupid CxO titles, what the hell is a "Chief Administrative Officer"?

a) Chief Administrative Officer - in charge of paper clip chains and bottom photos from the copiers

b) Chief Administrative Officer - new member of the Enterprise bridge crew:
Picard: ...and this Commander Throckmorton, our Chief Administrative Officer.

Re:Mental translation

[Zathrus]

has taken numerous steps in the past year to make sure such a breach is never made public again.

That's not up to them, however. The only way they can do that currently is to not keep any information whatsoever on a resident of California. Why? Because California has some of the best consumer privacy protection laws on the books. In this case the one that matters is the legally required disclosure of any potential privacy breach of residents. You are required to notify the residents that are affected... and if the media gets a whiff of it, the first question out of their mouths will be "how many people outside of California?" followed by "And are you going to notify them as well?".

Of course, ChoicePoint, along with all of the other big credit aggregators, are currently lobbying the Federal government for an "improved" consumer information protection bill. One of the major points of the bill is that it would supercede all state laws -- thus rendering California's (and a dozen or so other states) better laws invalid. All in the name of unified laws across the nation -- and at the consumer's expense.

q[the ONLY consequence a company like this suffers from a breach is negative publicity]q

And you don't think that's significant? ChoicePoint isn't the only game in town, even in their specialized arena (they're a spinoff of Equifax). If they get a bad reputation for poor security then companies will stop doing business with them and start doing business with a competitor.

And, contrary to many people, I do think these companies serve a valuable purpose. We would not have nearly the level of easily available credit in the US if it wasn't for them. And easily available credit leads to more home ownership, more small business startups, and numerous other advantages. Sure, it leads to some people drowning in credit debt as well, but that's due to irresponsibility on the part of both the person and the creditor -- in fact, accurate credit data is more likely to help avoid this problem than increase it.

The issue is that consumers have little to no control over the data at this point -- you're only allowed to place a credit freeze in a handful of states (and the "warning" that you can place on your report is universally ignored). There's insufficient protections against inaccurate data. And getting access to your own report is still overly difficult (although it's improved greatly in the last year, now that everyone can get a free copy every year (twice a year in Georgia)).

Re:Mental translation

[Red+Flayer]

"Isn't the real lesson from that whole debacle that Choicepoint has no business handling my personal information?"

But that is their business -- handling and selling your information :)

It would be more accurate to say that Choicepoint has no business if not handling your information (for better or worse).

Re:Mental translation

[pla]

the company has taken numerous steps in the past year to make sure such a breach is never made public again.

And you call yourself a cynic?

As the scariest part about the original phrasing, I think Carol DiBattiste really means it... As in, she seriously has such a poor grasp of technology that she doesn't recognize "never happens again" as an impossibility.

Any network security novice could tell her that it will happen again. They can take steps to contain such leaks; to minimize what a single attack can reveal; to speed detection of a intrusion; To improve the ability to catch and prosecute the perpetrator. But "never happens again" means they have done none of the above, instead trusting spoooooky technology X about which Ms. DiBattiste has absolutely no grasp.



Even bad publicity is not really a problem for them since the people they hurt have no say in whether or not to do business with them.

I think you've hit on the bigger issue here... Not that they had a problem, not that they've dealt inadequately with that problem, but that the even exist! Worthless parasites like ChoicePoint shouldn't get even one strike - When the real nature of businesses like this come to light, they should summarily suffer the corporate death penalty along with complete dissolution of all assets INCLUDING personal assets of anyone ethically challenged enough to fund such anti-human ventures. No mercy, put these leeches down.

Re:Mental translation

[finkployd]

ChoicePoint isn't the only game in town, even in their specialized arena (they're a spinoff of Equifax). If they get a bad reputation for poor security then companies will stop doing business with them and start doing business with a competitor.

But why? How does their inability to protect data really hurt their customers one bit? What would the motivation be in dropping them because they didn't secure data very well?

And, contrary to many people, I do think these companies serve a valuable purpose. We would not have nearly the level of easily available credit in the US if it wasn't for them. And easily available credit leads to more home ownership, more small business startups, and numerous other advantages.

Without them you might have to wait a few days, or even weeks to get a line of credit. This is not a bad thing, in fact I would venture to guess there would be fewer problems if people DID have to wait for lines of credit. I just bought a house, the process is not lightening fast and you do not need instant credit to do it. And if someone is starting up a business on instant credit then they are not probably not thinking things through or planning very well.

Sure, it leads to some people drowning in credit debt as well, but that's due to irresponsibility on the part of both the person and the creditor -- in fact, accurate credit data is more likely to help avoid this problem than increase it.

Choicepoint has some major accuracy issues as well, so they are probably not helping there. In one notable case (referenced elsewhere in the comments) one person spent a week in jail due to Choicepoint's inaccurate data. I would venture to guess than since they are perceived as accurate, they actually make the situation WORSE by not being accurate. Kind of like how bad security is often worse than no security.

The issue is that consumers have little to no control over the data at this point -- you're only allowed to place a credit freeze in a handful of states (and the "warning" that you can place on your report is universally ignored). There's insufficient protections against inaccurate data. And getting access to your own report is still overly difficult (although it's improved greatly in the last year, now that everyone can get a free copy every year (twice a year in Georgia)).

What sickens me is that while protections are available, you have to pay for them. Not only do you have to pay for them, but you have to pay the people who are irresponsible with your data to begin with, thus necessitating the need for the protections. If that does not sound like a mob style protection racket, I don't know what does.

Finkployd

Re:Mental translation

[finkployd]

Oh ok, yeah I did miss your point the first time.

Good question, in fact once it was seen that they really were not hurt the floodgates opened and it seems nearly everyone company that had personal data started reporting breaches. I don't see where it hurt any of them to do so, most people still think identity thefts happens because of entering your credit card on a web form, not because the IT departments of most banks, credit card companies, data brokers, etc. seem to be staffed by knuckle-dragging morons.

Maybe you are right, maybe they will happily disclose anything and everything that happens knowing that the people it affects cannot do anything about it.

Finkployd

Re:Mental translation

Which means that all of those California residents so affected will be duly notified. ...the rest of the victims can go piss up a rope. Ain't life grand?

Re:Mental translation

[Lehk228]

a friend of mine's husband went to prison for that, he was speeding and took some guy out. rather than sticking around he hid the smashed up car and is doing 5 years for it.

if he had stuck around he probably would have gotten charged with negligent homicide or less and gotten less than one year

Re:Mental translation

[Gorshkov]

$15 million is a token fine? I wish the hell *I* had a few tokens.

Re:Mental translation

[Mark_Uplanguage]

There really needs to be a mechanism, or a form or something where I can tell Choicepoint to delete any records having to do with me.

How many other companies give you that option? Even my auto mechanic has my address, phone, cell, email, and car information. If I don't go to him anymore and I go back and say delete my information, does he have to? What he wants to include me as a customer to financial backers when he expands? In any event, where's the proof that it's gone? It's certainly a frustrating situation that I've given up on

Re:Mental translation

Exactly, and what happens if after they delete it, their computer system has problems and they restore from a backup that still HAS your info? Do they have to remember you asked to have it deleted?

Now they need to do quality control

[meburke]

ChoicePoint is an aggregator. As much as 20% of their data could be inaccurate. Employers (for instance) make decisions based on ChoicePoint data, even though ChoicePoint "suggests" that they independently verify the accuracy of any negative reports. (Of course, it may work the other way also: 20% inaccuracy suggests that ChoicePoint will give subscribers false positive data, too.) Is this important? Well, Baseline Magazine wrote a nice article on this last year, http://www.baselinemag.com/article2/0,1540,1825320 ,00.asp
http://www.baselinemag.com/article2/0,1540,1825287 ,00.asp
and I was really impressed with the fact that a Home Depot employee spent a week in jail for crimes he did not commit.

Security is only half of it; Accuracy is the other half.

Re:Now they need to do quality control

[Poltron+Inconnu]

Nice way to not read your own FA. He worked for Fry's, not Home Depot.

Re:Now they need to do quality control

[meburke]

Yup- I should have re-read the article before I posted my comment, but I did and I caught it before you commented. Thanks for your polite(!), late, ego-boosting, useless comment. Are you happy now?

Re:Now they need to do quality control-OOOps!

[meburke]

Sorry, the article says Frye's, not Home Depot...I should have double-checkd before writing.

Pop quiz

[Rob+T+Firefly]

It's enhanced user ID and password protections--if employees forget their passwords, they must take a five-question quiz (example: "What year was your Social Security number issued?") to reset it; if they fail that, they must pass a 15-question quiz with a systems administrator.

I'm sure that makes everyone feel better and inspires lots of Holy Grail "What... is your favorite color?" gags, but as long as the info exists in records for someone to verify, it's open to being copied and used by the wrong people.

Re:Pop quiz

if employees forget their passwords, they must take a five-question quiz (example: "What year was your Social Security number issued?") to reset it; if they fail that, they must pass a 15-question quiz with a systems administrator.

Or, they'll just get a co-worker to look themselves up in ChoicePoint!

Non-US?

[mr100percent]

ChoicePoint has blocked access to its network from all non-U.S. Internet addresses, with a few exceptions that DiBattiste declined to detail.

To who? ECHELON?

Re:Non-US?

So they're keeping the data out of countries where it would be legally protected, and ensuring that it is only held and accessed in the USA. That would be a country where:

- There is no privacy legislation that has teeth, and

- The government can ask for the data without any real reason and make it illegal to reveal that the data was turned over.

Feel safe, my American colleagues. (Take that pill if it helps).

Do you ever wonder why foreign citizens won't do business with your companies? Why the Canadians won't let your companies process their data? Why the EU is a bit jumpy about transmitting airline passenger data to you?

Love this quote...

[Rinzai]

And the company now encrypts all data feeds...

Oh. NOW. That would have been my first idea. Sensitive data? Encrypt it!

That's why I don't work in network security.

Re:Love this quote...

[PGC]

and that encryption will really help next time they sell their data to another group of nigerian scammers ....

Turn off the spin

[HardCase]

What repercussions? Did they lose business? Sure they got hit with a 10 million dollar fine but look at their financial statements, that is barely a drop in the bucket for them.

It was a total of $15 million, plus another $4 million in other obligations imposed by the FTC (like third party auditing). Insurance covered $11 million of the $19 million, but Choicepoint had to pony up $8 million of their own money. If you look at their financial statments, you'll see that it's no slap on the wrist - it represented half of their cash. In terms of yearly income, it's about 7% of what the company makes. Plus, I suspect that their insurer will either raise their liability insurance rates or drop them altogether.

I'd say that the penalty was fair. It's not necessary to drive the company out of business - just necessary to give them a sting so that they don't do it again.

-h-

Re:Turn off the spin

[Almost-Retired]

I'd say that the penalty was fair. It's not necessary to drive the company out of business - just necessary to give them a sting so that they don't do it again.

No, sorry, that doesn't cut it with this old fart. Until they are put out of business, and their database put in escrow for purposes of forensics traceing only, with it to be preserved on non-networked servers that it takes a federal court order to gain access to, such shennanigans will continue. While they're at it, I'd be in favor of the top floor executives haveing a hand amputated in the grand old arab justice manner. Maybe both hands for the President of such a company.

I frankly could care less about the collateral damages from putting many of such a companies rank & file people out of work, they knew full well the type of business they were working for. I cannot seriously seperate those people from all the 419 scammers in Nigeria. They're all birds of a feather. Put them out of business, mark them physicly for life and make it damned clear that this is what will happen to everyone that abuses the data they are in charge of. Then and only then will these leaches turn honest.

--
Cheers, Gene

Re:Turn off the spin

[localman]

Good lord. I wonder what would happen to society if we punished mistakes with such extremity. I bet some folks would immediately say "it would be better". But history has many lessons on this topic and that doesn't seem to fit.

Cheers.

Re:Turn off the spin

[MillionthMonkey]

Good lord. I wonder what would happen to society if we punished mistakes with such extremity.

You're missing the point. This isn't about "punishing" a single incident. It's about Choicepoint's whole business model, which would be illegal in a sane world.

Until they radically restructure themselves to make their money in some other way, they shouldn't be in business.

Re:Turn off the spin

[HardCase]

For the longest time, the industry was pretty much unregulated. Now that the FTC is empowered to regulate them, companies like Choicepoint are faced with a choice - they can operate in a haphazard way or they can pay attention to the rules and tighten up their business. I'm no expert in the business, but I'd bet money that the companies are tightening up their business practices. Violations will happen. That's when the FTC steps in, makes a determination based on the nature of the violation and the circumstances surrounding it - and based upon the limits of the law.

That's what happened in the Choicepoint case. You want them out of business? If the FTC had done that, the company would have appealed the punishment and it would have been reduced or waived.

If you really can't tell the difference between Choicepoint and its ilk and the 419 gang, then you've got a problem, I'd say. You may not like what Choicepoint does (I'm no fan, either), but they're not criminals. Their industry probably deserves closer regulation than it gets - I know that my congressional delegation has been trying to get that done for quite a while. Maybe someday...

But driving a company out of business as punishment is a slippery slope that isn't worth sliding down. If we decide that Choicepoint and its ilk should be put out of our misery, then who's next? How bad does the offense have to be to put a company out of business? What category of companies do we go after? Do we take a poll across the nation and close down the companies that the majority of us don't like? I guess that would take care of the lawyers...maybe bill collectors, too. Insurance companys? Probably. Used car lots, too. There are plenty of businesses out there that just have a bad feel to them. That's just the way it is.

I'd say that what happened is just. You give them a sting to convince them not to do it again and to send a wakeup call to their compadres in the business. If it happens again, well, maybe that's a different story.

-h-

Re:Turn off the spin

And obviously the people answering phones and sorting mail there deserve to be punished, because they're contribuing to a business they A) have no control over B) likely do not even understand the business model of and C) probably honestly believe does useful work (possible as a result of B). Good for you. It would be weak to take factors like intent into account when dishing out punishment.

I'll be sure to keep that in mind when it's exposed that your company has been buying overseas slave labor or funding execuitive's trips to Tailand for sex with 11-year-old boys or poluting the local water source or whatnot. You should have known better when you started working there -- it was obvious that the company could not be trusted, and that their business model was unsustainable in a rational world. It doesn't matter that you didn't know what that business model included and had no part in the actual crimes committed -- you should have know.

Re:Turn off the spin

[MillionthMonkey]

And obviously the people answering phones and sorting mail there deserve to be punished, because they're contribuing to a business they A) have no control over B) likely do not even understand the business model of and C) probably honestly believe does useful work (possible as a result of B). Good for you. It would be weak to take factors like intent into account when dishing out punishment.

So the company gets off the hook by having employees and hiding the truth from them. You have a strange sense of morality.

I'll be sure to keep that in mind when it's exposed that your company has been buying overseas slave labor or funding execuitive's trips to Tailand for sex with 11-year-old boys or poluting the local water source or whatnot.

From this I can only assume that if you found out your employer was funding executive sex tour packages you'd be OK with it and would continue to work there. No wonder you posted AC.

Didn't read the article.

[Linux_ho]

I don't think anything they could have done or said would make any difference in my opinion about them.

Re:Didn't read the article.

[NexFlamma]

What if they bought you a pony?

I bet they could afford it now...

Progress Indeed

[SupremoMan]

I have used Choice Point products at my last job. Following their little... ummm... mishap they changed my username (which they assign) from the first latter of my first name followed by my last name to random assortment of character. Progress indeed.

Their Other "Mistake"

[edward.virtually@pob]

When are they going to talk about their "mistake" in 2000 when they helped Bush steal the election in Florida by illegally removing blacks from the voting rolls? Or has everyone forgotten about that by now? It'd sure be nice to see some of these traitors to our country get their Constitutionally mandated punishment, vs. being interviewed in magazines.

Re:Their Other "Mistake"

[Gorshkov]

funny, that - I just read the article that you yourself gave a link to. FTA ..... the list supposed to be a list of felons from the state of Texas. Most of the people on that list had misdemeanors, not felons .... is that THIER mistake, or something you should be pissy about the State of Texas about? 2nd .... the article says that the law fobidding felons to vote unfairly targets minorities because it eliminates 31% of black men from voting. I would be VERY surprised if a third of black men in Florida were felons. And even if they were, again, is that "their" fault, or the fault of the state of Florida for having such a law on their books? If you want to dump on the company for doing something wrong, please, at least, pick on something they *have* done wrong. I have no further information on the incident you're talking about other than the article you provided a link to. If that article is the best you can provide to support your claims, then I'm afraid that your accusations are baseless.

Re:Their Other "Mistake"

[Jah-Wren+Ryel]

the list supposed to be a list of felons from the state of Texas. Most of the people on that list had misdemeanors, not felons .... is that THIER mistake, or something you should be pissy about the State of Texas about?

Its pretty clearly up to Choicepoint to provide accurate data, otherwise if there is no accountability they might as well just make up a bunch of names and use those instead.

If their source was bad, they should have either found another source to validate the data (they should be doing that anyway, it's just good practice to validate the quality of the data you sell -- it is pretty hard to believe that they did not have at least a general idea about the accuracy of the data) or they should not have reported it at all.

Texas certainly has problems if their database is so poor, but in Texas felons who have served their time are not stripped of their right to vote, so it isn't like Texas has the same problem at home.

Re:Their Other "Mistake"

[workindev]

The reason nobody is talking about this is because:

1) It's wrong. The US Civil Rights Commission failed to find a single person who was incorrectly removed from the voting rolls and not allowed to vote in the 2000 election because of the Felon list.
2) ChoicePoint had no authority or means to remove voters from the rolls. Only the local county election officials did. 3) That was 6 years ago, and most whiny liberals have given up crying about this non-issue by now.
4) Subsequent independent media reviews of the Florida 2000 election have all found that the outcome would not have changed using the existing rules that existed on the day of the election.

Re:Their Other "Mistake"

[workindev]

Its pretty clearly up to Choicepoint to provide accurate data, otherwise if there is no accountability they might as well just make up a bunch of names and use those instead.

Actually, no. Per state law requirements, ChoicePoint was hired (by Democrat Ethel Baxtor) to provide a list of possible convicted felons to each county, and each individual county election supervisor was required to verify the names on the list, provide an avenue for appeal, and ultimately remove previously convicted felons from the voter registration rolls.

If their source was bad, they should have either found another source to validate the data (they should be doing that anyway, it's just good practice to validate the quality of the data you sell -- it is pretty hard to believe that they did not have at least a general idea about the accuracy of the data) or they should not have reported it at all.

Again, they were not required to provide validated data. State law placed the burden of validating the names soley on the county election officials.

It was, by the way, the Democrats who wrote and voted for these state laws in Florida after the 1996 Miami mayoral Democratic primary, which was found to have widespread fraud.

What I learned from Their Screw-up

[PingXao]

Americans need an ammendment to their Constitution that guarantees them the Right To Privacy. Then, assumiung a Congress that actually follows the Constitution can be elected, in conjunction with the Right To Privacy there should be a law that prohibits the use or sale of my personal data without my prior consent. Better: it should be against the law to even collect and store that information in any database where the consumer - citizen, if you will - doesn't have the ability to "SQL DELETE FROM * WHERE NAME = ME".

Re:What I learned from Their Screw-up

[NexFlamma]

With the current administration it would only be a matter of time before they removed the government's accountability from that amendment in the name of "fighting terrorism".

Then they'd kick your dog.

Joke?

[PGC]

" ... since it mistakenly sold private data on 163,000 people to Nigerian criminals last year."

This is a joke, right ?

Re:Joke?

[Lehk228]

no, it's not a joke

Consider the Source

[ZWithaPGGB]

Ms. DiBattiste doesn't have a very good rep as a privacy advocate.

mistake?

[nude-fox]

how do you mistakenl sell personal data to nigerian criminals you dont even bother to find out who your customer is?

Re:mistake?

[Shaper_pmp]

Basically, yes.

Eventually this will get established

[marcus]

Most laws, in the USA anyway, come about because of someone else's failure.

Eventually, someone will be seriously hurt by data loss/theft/whatever.

Evenually, the data broker will be forced to pay with blood, money, or time in jail.

Most likely, someone with substantial assets will get bitten bad and still have what it takes to sue the broker out of business...then the legislature AKA lawyers will get involved.

Not surprising

[sheldon]

I had this happen to me. I was supposed to start a job on monday the day after thanksgiving break.

Wednesday I get a call from the head of HR wanting to know about my felony charge in Rochester, NY. I'd never been to Rochester and had no idea what she was talking about.

In this case, the company doing the background check had not even bothered to verify my social security number and such. Just pulled up the name, which isn't all that unique.

Fortunately the HR head understood that these things are often wrong and verified the information. But still... this can be a real problem.